I have a Tornado server running on some port
And if I make a request via browser to non existing url, Tornado prints:
WARNING:tornado.access:404 POST /some_url/ (MY.REAL.IP) 0.64ms python
But I noticed another 404 error done via localhost:
WARNING:tornado.access:404 POST /some_url/ (127.0.0.1) 0.64ms python
Is it possible in theory, that this request was done by some "cool hacker" from remote server using curl --resolve or something?
The only way this address should be spoofable would be if you set xheaders=True in your HTTPServer constructor. If you use xheaders=True, you should also be using a frontend proxy that sanitizes headers appropriately so it will not allow X-Real-IP headers from outside sources.
Related
I'm new to Ubuntu and Apache.
When I CRUD through Express, instead of using the serverĀ“s localhost, server/browser will use my computer's localhost.
If I turn off Express server in localhost, the server's get, post and delete don't work, and I can't seem to find a way to use the server's localhost instead of my computer's.
I've also tried sending my requests to:
http://localhost:8383/decrypted
http://127.0.0.1:8383/decrypted
The routes above throw an error as they are http and server is https.
https://example.com/8383/decrypted
The route about throws error connection refused
https://example.com/8080/decrypted
I tried adding a virtualhost in 8080 and routing it through apache to 8383, but shows the same error as above, connection refused.
How can I make the server use its localhost instead of the user's localhost?
I am using ngrok to expose my react app. Due to an "invalid host header", I have re-written the host header using ngrok http 3000 -host-header="localhost:3000", which works fine.
The problem that I am encountering is that when I added in my backend node.js server, I added multiple tunnels to my ngrok.yml file :
tunnels:
first:
addr: 3000
proto: http
second:
addr: 5000
proto: http
Now, to expose react & node.js, I am using
ngrok start --all
But now I am back to the issue where I am getting the invalid host header on my front end. How do I rewrite my host header for my front end with the "ngrok start --all"?
I have managed to solve this issue for others who do encounter a similar situation.
In the ngrok.yml file, include host_header: "localhost:3000"
I have the following setup:
Client => Proxy server => Origin Server
I'm using the following Node.js libraries for each of these pieces, respectively:
isomorphic-fetch => http-proxy => http
Here's a gist of the setup in two files, one for each of the servers and one for the client: https://gist.github.com/headquarters/850cbb199ff397c6da56fb8d86113a7e
To run this locally, run node server.js in one shell and node fetch.js in another shell.
With the servers running, if I go to http://localhost:8818 in a browser, I get the sample response {"a":"b"}, so that's working. If I go to http://localhost:9818, I also get that response, so the proxying appears to be working fine. However, if I run DEBUG=* node fetch.js, which includes the HTTP proxy agent, the request fails (see output at https://gist.github.com/headquarters/850cbb199ff397c6da56fb8d86113a7e#file-failure-txt).
Without the agent property, the fetch command works fine on the command line. How do I go about debugging this socket hang up error?
Turns out I didn't read the https-proxy-agent docs closely enough. This line was a bit confusing: An HTTP(s) proxy http.Agent implementation for HTTPS--the PROXY itself can be either HTTP or HTTPS, but the origin server has to be HTTPS for this flavor of proxy-agent. For an HTTP origin server, I had to use http-proxy-agent. Thus, the socket hang up was probably coming from https.Agent trying to access an HTTP endpoint. It worked when I switched to http-proxy-agent.
I have an existing ssl certificate through LetsEncrypt for my domain. On the same server as my site I have an express app running at port :8080. Before adding the SSL to the domain I was able to make requests to http://domainname:8080.com. Now that the domain making the requests is https it obviously can't make those requests. If I instead make requests to https://domainname:8080.com, I get no response and instead get a timeout error.
I have attempted to curl -X -POST on the server manually and it returns (35) gnutls_handshake() failed: The TLS connection was non-properly terminated. If I however run the same command pointing to the non https domain it executes correctly. I also tried installing the https modules for express and pointing it to the same certs I'm using for the domain. For all my effort I cannot get this to work. What am I missing here? I want to make requests to a port on the same server that is serving my app.
Setup a reverse proxy in my nginx site config from the domain to the ip address the express server was running on. This solved all the issues I was having.
I have one Custom Linux board on which I want to
run apache web server (httpd) to test HTML
and other web based pages.
I have configured, cross compiled and installed httpd (2.2.24, 2.4.1, 2.4.4 and 2.4.9 packages) on my Linux PC (Ubuntu 12.04 LTS) as well as
on my own custom Linux board. Then I have added support of SSL Module (mod_ssl) to test HTTP as well as HTTPS request.
Both HTTP and HTTPS request works fine without any issue on my Linux PC (Ubuntu 12.04 LTS). But when I tried to execute same HTTP request
on my Linux Board using httpd (2.4.4 and 2.4.9 with SSL Module Enabled) at that time browser page goes into loading state and can not be came out from that situation.
Also I have seen that HTTPS request works fine at that time ( not HTTP )
I have also did some debugging task through wire-shark tool and found that connection is established successfully after sending request through HTTP
but can not get response of that request. I have also found that response of that HTTP request received on wire-shark after closing that HTTP
requested page from browser.
Also, I can run HTTP and HTTPS requests successfully using httpd (2.2.24 and 2.2.27 with SSL Module enabled) on my Linux Board as well but failed to execute same request
using httpd (2.4.X with SSL Module enabled) package.
I have also changed some configurations by creating different virtual host for HTTP (Port 80) and HTTPS (Port 443) but still failed to
execute that HTTP request.
I have also tried to listen on different ports like (Listen 80 and Listen 8000) without SSL module (using httpd 2.4.4. and 2.4.9 ) at that
time HTTP request goes into loading state.
Basically all thing works in version 2.2.x but not in 2.4.x.
Does anyone has idea about this issue or help me to solve this type of issue?
I have faced similar type of problem while requesting HTTP Page on multiple Listen Directive in my custom linux board.
Please configure APR Package with ac_cv_o_nonblock_inherited=no flag and configured int with httpd package which will solve HTTP request failed issue on multiple Listen Port.